security: don't restrict process info by default for module users
This commit is contained in:
parent
a36789b468
commit
44de5064cd
|
@ -42,8 +42,7 @@ in {
|
|||
|
||||
networking.firewall.enable = true;
|
||||
|
||||
# hideProcessInformation even if hardened kernel profile is disabled
|
||||
security.hideProcessInformation = true;
|
||||
nix-bitcoin.security.hideProcessInformation = true;
|
||||
|
||||
# Tor
|
||||
services.tor = {
|
||||
|
|
|
@ -1,33 +1,39 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
{ config, lib, pkgs, options, ... }:
|
||||
|
||||
{
|
||||
# Only show the current user's processes in /proc.
|
||||
# Users with group 'proc' can still access all processes.
|
||||
security.hideProcessInformation = true;
|
||||
options = {
|
||||
nix-bitcoin.security.hideProcessInformation = options.security.hideProcessInformation;
|
||||
};
|
||||
|
||||
# This mitigates a systemd security issue leaking (sub)process
|
||||
# command lines.
|
||||
# Only allow users with group 'proc' to retrieve systemd unit information like
|
||||
# cgroup paths (i.e. (sub)process command lines) via D-Bus.
|
||||
# This D-Bus call is used by `systemctl status`.
|
||||
services.dbus.packages = lib.mkAfter [ # Apply at the end to override the default policy
|
||||
(pkgs.writeTextDir "etc/dbus-1/system.d/dbus.conf" ''
|
||||
<busconfig>
|
||||
<policy context="default">
|
||||
<deny
|
||||
send_destination="org.freedesktop.systemd1"
|
||||
send_interface="org.freedesktop.systemd1.Manager"
|
||||
send_member="GetUnitProcesses"
|
||||
/>
|
||||
</policy>
|
||||
<policy group="proc">
|
||||
<allow
|
||||
send_destination="org.freedesktop.systemd1"
|
||||
send_interface="org.freedesktop.systemd1.Manager"
|
||||
send_member="GetUnitProcesses"
|
||||
/>
|
||||
</policy>
|
||||
</busconfig>
|
||||
'')
|
||||
];
|
||||
config = lib.mkIf config.nix-bitcoin.security.hideProcessInformation {
|
||||
# Only show the current user's processes in /proc.
|
||||
# Users with group 'proc' can still access all processes.
|
||||
security.hideProcessInformation = true;
|
||||
|
||||
# This mitigates a systemd security issue leaking (sub)process
|
||||
# command lines.
|
||||
# Only allow users with group 'proc' to retrieve systemd unit information like
|
||||
# cgroup paths (i.e. (sub)process command lines) via D-Bus.
|
||||
# This D-Bus call is used by `systemctl status`.
|
||||
services.dbus.packages = lib.mkAfter [ # Apply at the end to override the default policy
|
||||
(pkgs.writeTextDir "etc/dbus-1/system.d/dbus.conf" ''
|
||||
<busconfig>
|
||||
<policy context="default">
|
||||
<deny
|
||||
send_destination="org.freedesktop.systemd1"
|
||||
send_interface="org.freedesktop.systemd1.Manager"
|
||||
send_member="GetUnitProcesses"
|
||||
/>
|
||||
</policy>
|
||||
<policy group="proc">
|
||||
<allow
|
||||
send_destination="org.freedesktop.systemd1"
|
||||
send_interface="org.freedesktop.systemd1.Manager"
|
||||
send_member="GetUnitProcesses"
|
||||
/>
|
||||
</policy>
|
||||
</busconfig>
|
||||
'')
|
||||
];
|
||||
};
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue
Block a user